When the `/ajax/set_sys_time/` endpoint is called, the request data can be manipulated by an attacker. As an example, the following request (headers as captured; the command is truncated in the source) sets the system time of the Robustel R1510 to January 1, 1970, the Unix epoch:

```
http://10.10.10.10/robustel/ajax/set_sys_time/ \
  -H 'Host: 10.10.10.10' \
  -H 'User-Agent: Robocopy' \
  -H 'Accept: */*' \
  -H 'X-Robocopy-Default: Automatic' \
  -H 'X-Robocopy-Default-Port: 8080' \
  -H 'X-Robocopy-Default-Method: HEAD' \
  -H 'X-Robocopy-Default-Uri: https://10.10.10.10/robustel/' \
  -H 'X-Robocopy-Default-Path: /robustel/' \
  -H 'X-Robocopy-Default-Timeout: 120' \
  --data '{' \
  -H 'Content-Type: text/plain' \
  -H 'Date: Sat, 10 Dec 2017 08:21:18 +0000' \
  -H 'X-Robocopy-default: Automatic' \
  -H 'X-Robocopy-Default-Port: 8080' \
  -H 'X-Robocopy-Default-Method: HEAD' \
  -H '
```

Disabling the `webAuthSignature` Response Parameter

The `webAuthSignature` response parameter is sent to the client by the web server so that the client can build the signature required for digest authentication. Subsequent requests carry an Authorization header, but the server ignores that header when the signature feature has been disabled via `WEBAUTH_SIGNATURE_ENABLED`. An attacker can use this behaviour to bypass authentication entirely and gain unrestricted access to the device.
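The two issues above share one root cause: an administrative endpoint whose authentication gate depends on an optional feature flag and whose payload is applied without validation. The following is an added example, not Robustel firmware code, that models a `set_sys_time` handler behind HTTP Digest authentication and places the flawed gate beside a fail-closed one. It assumes RFC 2617 MD5 digest without `qop`, a JSON body of the form `{"time": <epoch seconds>}`, a realm name, constructed credentials, and a plausibility window for the clock; none of these details are documented on this page.

```python
"""Model of an auth gate in front of an admin endpoint such as /ajax/set_sys_time/.
Added example, not the vendor's code. Assumptions (not from the advisory):
RFC 2617 MD5 digest without qop, JSON body {"time": <epoch seconds>},
realm "robustel", demo credentials, and a plausibility window for the clock."""
import hashlib
import hmac
import json
import re

REALM = "robustel"                 # assumption
USERS = {"admin": "s3cret"}        # constructed demo credentials
MIN_TIME = 1_600_000_000           # assumption: firmware build date (2020-09) as lower bound
MAX_TIME = 4_102_444_800           # assumption: 2100-01-01 as upper bound


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def parse_digest(header: str) -> dict:
    """Parse 'Digest k="v", k2=v2' into a dict; anything else yields {}."""
    if not header or not header.startswith("Digest "):
        return {}
    return dict(re.findall(r'(\w+)="?([^",]*)"?', header[len("Digest "):]))


def digest_valid(method: str, auth_header: str, nonce: str) -> bool:
    """Verify an RFC 2617 (MD5, no qop) digest response against the server nonce."""
    p = parse_digest(auth_header)
    needed = {"username", "realm", "nonce", "uri", "response"}
    if not needed.issubset(p) or p["realm"] != REALM or p["nonce"] != nonce:
        return False
    password = USERS.get(p["username"])
    if password is None:
        return False
    ha1 = _md5(f'{p["username"]}:{REALM}:{password}')
    ha2 = _md5(f'{method}:{p["uri"]}')
    expected = _md5(f"{ha1}:{nonce}:{ha2}")
    return hmac.compare_digest(expected, p["response"])  # constant-time compare


def make_response(username: str, password: str, method: str, uri: str, nonce: str) -> str:
    """Client side: build the Authorization header value for the given nonce."""
    ha1 = _md5(f"{username}:{REALM}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    resp = _md5(f"{ha1}:{nonce}:{ha2}")
    return (f'Digest username="{username}", realm="{REALM}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}"')


def set_sys_time_vulnerable(headers: dict, body: str, nonce: str, signature_enabled: bool):
    """The behaviour the advisory describes: with the signature feature off the
    Authorization header is never checked and the body is applied unvalidated."""
    if signature_enabled and not digest_valid("POST", headers.get("Authorization", ""), nonce):
        return 401, None
    return 200, json.loads(body)["time"]


def set_sys_time_hardened(headers: dict, body: str, nonce: str, signature_enabled: bool):
    """Fail closed: authentication is unconditional (the flag is ignored for the
    access decision) and the supplied clock value must be plausible."""
    if not digest_valid("POST", headers.get("Authorization", ""), nonce):
        return 401, None
    try:
        t = int(json.loads(body)["time"])
    except (ValueError, KeyError, TypeError):
        return 400, None
    if not (MIN_TIME <= t <= MAX_TIME):   # rejects epoch 0 and far-future values
        return 400, None
    return 200, t


if __name__ == "__main__":
    nonce = "abc123"                      # constructed server nonce
    uri = "/robustel/ajax/set_sys_time/"
    good = make_response("admin", "s3cret", "POST", uri, nonce)
    print("no auth, flag off, vulnerable:", set_sys_time_vulnerable({}, '{"time": 0}', nonce, False))
    print("no auth, flag off, hardened:  ", set_sys_time_hardened({}, '{"time": 0}', nonce, False))
    print("good auth, epoch 0, hardened: ", set_sys_time_hardened({"Authorization": good}, '{"time": 0}', nonce, False))
```

With `signature_enabled=False` the vulnerable handler accepts an unauthenticated request and resets the clock to epoch 0; the hardened handler returns 401 for the same request, and even an authenticated caller cannot push the clock outside the plausibility window, which matters because a clock reset to 1970 silently breaks TLS certificate validation and falsifies log timestamps.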

Timeline

Published on: 06/30/2022 19:15:00 UTC
Last modified on: 07/12/2022 19:50:00 UTC

References